The Personal Data Protection Commission (PDPC) has issued a media release on stepping up enforcement action from 1 January 2027 against private organisations that use NRIC numbers for authentication purposes.

Organisations should review their authentication methods and transit to more secure alternatives, as outlined in the Joint Advisory by the PDPC and Cyber Security Agency of Singapore (CSA) in June 2025. Using NRIC numbers for authentication increases the risk of unauthorised access, and organisations that continue such practices may be found in breach of their PDPA obligations for failing to implement reasonable security arrangements to protect personal data.

To support organisations that manage personal data including NRIC numbers, PDPC has also published an advisory on common data protection lapses with recommended measures.

Read more:

• Media Release: Organisations To Cease the Use of NRIC Numbers for Authentication by 31 December 2026
• Advisory on Common Data Protection Lapses and Recommended Measures
• FAQs for Organisations
• FAQs for Individuals